Vulnerability CVE-2017-1000486


Published: 2018-01-03

Description:
Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution.

See advisories in our WLB2 database:
Topic: Primefaces 5.x Remote Code Execution (High)
Author: Bjoern Schuette
Date: 18.01.2018

Type: CWE-326 (Inadequate Encryption Strength)

Vendor: Primetek
Product: Primefaces 
Version:
5.3.7
5.3.6
5.3.5
5.3.4
5.3.3
5.3.2
5.3.1
5.3
5.2.9
5.2.8
5.2.7
5.2.6
5.2.5
5.2.4
5.2.3
5.2.20
5.2.2
5.2.19
5.2.18
5.2.17
5.2.16
5.2.15
5.2.14
5.2.13
5.2.12
5.2.11
5.2.10
5.2.1
5.2
5.1.9
5.1.8
5.1.7
5.1.6
5.1.5
5.1.4
5.1.3
5.1.21
5.1.20
5.1.2
5.1.19
5.1.18
5.1.17
5.1.16
5.1.15
5.1.14
5.1.13
5.1.12
5.1.11
5.1.10
5.1.1
5.1
5.0.9
5.0.8
5.0.7
5.0.6
5.0.5
5.0.4
5.0.3
5.0.2
5.0.18
5.0.17
5.0.16
5.0.15
5.0.14
5.0.13
5.0.12
5.0.11
5.0.10
5.0.1
5.0
4.0.9
4.0.8
4.0.7
4.0.6
4.0.5
4.0.4
4.0.3
4.0.24
4.0.23
4.0.22
4.0.21
4.0.20
4.0.2
4.0.19
4.0.18
4.0.17
4.0.16
4.0.15
4.0.14
4.0.13
4.0.12
4.0.11
4.0.10
4.0.1
4.0

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

References:
http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html
https://cryptosense.com/weak-encryption-flaw-in-primefaces/
https://github.com/primefaces/primefaces/issues/1152
https://www.exploit-db.com/exploits/43733/

Copyright 2018, cxsecurity.com

 
